#1 2016-05-09 6:33 pm

tirrorex
Member
Registered: 2016-05-09
Posts: 6

Ip from dedicated server listed as spamming

Hello, it seems that as of today the IP of my server (62.210.211.148) is listed as spamming with an email address I do not know.
Since I don't have anything on this server except for a torrent and a Plex server inside a Docker container, I assume it is safe to say I've been hacked (SSH listing 65000 login attempts confirms this).
Anyway, since apparently it is not possible to get an IP from online.net unlisted, I would like to know if it is possible to get any logs of what happened.
If my server did indeed spam something, you have traces, right?
I would like to see them in order to remove any potential bad software running on my server, as I have no idea what I am looking for. I changed SSH access but it is still possible that some process is running in the background and I would like to know.

I cannot stress enough how important this is, since I only have 48 hours to solve this issue before they shut down my server.

Thanks

Last edited by tirrorex (2016-05-09 6:35 pm)

Offline

#2 2016-05-09 8:14 pm

sklerder
Member
Registered: 2012-10-11
Posts: 336
Website

Re: Ip from dedicated server listed as spamming

Hi!

I don't know where your problem comes from, but it seems your system has been hacked.
The log you could obtain here will/would be largely insufficient, because the worst is probably not the fact your IP is listed here, but that your system may have been largely compromised.
The best logs should be those of your system, admitting they have not been compromised too :/

A good idea would be to reinstall this system completely from scratch, in case it has been very deeply hacked.

Once it is sane again, you may need some tools to help protect your system from such attacks.

Here are some tools I use to avoid this kind of disturbance...
In order to harden access through SSH, it's a good idea to choose another port than 22 to listen for SSH.
Some tools may be useful, such as:
-  fail2ban (can detect and ban IPs trying too hard to connect on your own SSH port and other ports on which you are running services),
-  portsentry (to detect attacks on opened ports),
-  rkhunter (to detect attacks that modified files and properties on your system).

And, of course, have a system as up to date as possible, particularly those used as services opened to Internet (SSH, Web server, ...).

Offline

#3 2016-05-09 8:34 pm

tirrorex
Member
Registered: 2016-05-09
Posts: 6

Re: Ip from dedicated server listed as spamming

Where should I look in my system for those logs? I have no idea.

Reinstalling my system would be too much of a hassle. I mean, the only things I have on my server are movies and software; I don't have any private information whatsoever.
If I didn't receive a warning about the fact that my provider could shut me down, I wouldn't even care about being hacked.

Thanks for the tools, I'll look into that. However, switching the SSH port is never a good idea; there are better and more secure solutions (which I should've implemented, I was just being lazy here).

I think I'll just remove the SSH connection from my server; I have console access through the iDRAC controller so I don't need it.

What I fail to understand is what I spammed and how I spammed it.
Is it a DDoS attack using my bandwidth or something else entirely?
Also, there is a Russian mail address in the spam report; who does it belong to?

Last edited by tirrorex (2016-05-09 8:43 pm)

Offline

#4 2016-05-09 9:09 pm

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Ip from dedicated server listed as spamming

If my server did indeed spam something, you have traces, right?

I see the one listing here:
www.stopforumspam.com/search/62.210.211.148
That says it is a "toxic IP"...

If I didn't receive a warning about the fact that my provider could shut me down, I wouldn't even care about being hacked.

Well, you should care. I mean, you are responsible for what is going on with the server, and you are responsible if it is being used by a "botnet".
And it certainly looks like that is what you are doing, hosting Russian botnets:
http://botscout.com/ipcheck.htm?ip=62.210.211.148
----------
https://cleantalk.org/blacklists/62.210.211.148
And that just scratches the surface, and as the server owner you are responsible.

If you are asking to get the listing removed from here, you need to use the "contact" button > removal, and fill out the form.
http://www.stopforumspam.com/removal
As far as the other places it is listed at, you would need to contact them.

Where should I look in my system for those logs?

What kind of server is it? What OS powers it?
All my system logs are here:

/var/log

The server logs are here:

/var/log/nginx$ ls
access.log  access.log.1  access.log.2.gz  access.log.3.gz  error.log

The locations would vary depending on how the server is set up, what kind of server it is, and what the host system is.
For example, and just guessing, if it is "apache" it probably would be:
/var/log/apache,
If it is a "windows" server, I have no clue.

Offline

#5 2016-05-09 9:40 pm

sklerder
Member
Registered: 2012-10-11
Posts: 336
Website

Re: Ip from dedicated server listed as spamming

GarryRicketson wrote:

.../
If it is a "windows" server, I have no clue.

Well, sorry I didn't think it could be a possibility :)

IMHO, Windows is not a system for services opened to Internet...

I didn't verify, but:
- fail2ban could (should?) work on Windows, as it uses Python...
- portsentry and rkhunter are used on Linux systems, preferably Debian based, but should not work on Windows systems.

Offline

#6 2016-05-10 12:06 am

tirrorex
Member
Registered: 2016-05-09
Posts: 6

Re: Ip from dedicated server listed as spamming

Oh my, botnets...
I thought this was just a basic attack.
Well, this is worse, and indeed formatting would be the safest way to get rid of those. I didn't know my server was used to infect other people.
Thought solving the SSH issue would be enough :/

What I meant by "I don't care" is that I don't have sensitive data, so no harm is being done to me. This botnet thing changes everything.

I cannot fix this today; I managed to get locked out of my system while making some changes to the sshd_config, and my bandwidth is not strong enough to connect through iDRAC.

The server is running CentOS. I will download my remaining files and wipe it first thing tomorrow; I wanted to switch to Proxmox anyway, now seems like a good time to do it.

Thanks for the tips to prevent brute-force attacks, I will add an SSH key, better be safe.

About the removal, it is stated that you guys don't remove online.net IPs from the list.
Since I don't use my server except for downloading, I assume being blacklisted isn't necessarily a bad thing?

Offline

#7 2016-05-10 12:12 am

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Ip from dedicated server listed as spamming

Well, sorry I didn't think it could be a possibility :)

IMHO, Windows is not a system for services opened to Internet...

I agree there, it should not be used, but surprisingly there are a lot of them that do use it.
------------------------------------

Server is running centos,---

From: https://www.centos.org/docs/5/html/CDS/ … Files.html

/var/log/dirsrv/slapd-instance_name directory for storing log files

Offline
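
For the question of where to look on a CentOS server: sshd records authentication attempts in /var/log/secure. The following is an added example, not code from any poster in this thread; the function names and the log lines are constructed for illustration. It counts failed and accepted SSH logins per source address and marks any address that has both repeated failures and an accepted login.

```shell
#!/bin/sh
# Constructed sample in the format sshd writes to /var/log/secure on CentOS.
sample_secure_log() {
    cat <<'EOF'
May  9 03:12:01 srv sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
May  9 03:12:03 srv sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
May  9 03:12:05 srv sshd[2203]: Failed password for root from 203.0.113.7 port 51124 ssh2
May  9 03:12:09 srv sshd[2207]: Accepted password for root from 203.0.113.7 port 51130 ssh2
May  9 08:40:11 srv sshd[3310]: Accepted publickey for media from 198.51.100.20 port 40022 ssh2
May  9 09:01:44 srv sshd[3402]: Failed password for root from 192.0.2.55 port 60001 ssh2
EOF
}

# Usage: ssh_auth_summary [FILE|-] [THRESHOLD]
# Prints "IP failed=N accepted=M FLAG"; FLAG is SUSPECT when an address has
# at least THRESHOLD failures and also one or more accepted logins.
ssh_auth_summary() {
    awk -v t="${2:-3}" '
        / sshd\[[0-9]+\]: (Failed|Accepted) / {
            ip = ""
            # Scan from the right so a user name of "from" cannot confuse us.
            for (i = NF; i > 1; i--) if ($(i - 1) == "from") { ip = $i; break }
            if (ip == "") next
            seen[ip] = 1
            if ($0 ~ /\]: Failed /) failed[ip]++; else accepted[ip]++
        }
        END {
            for (ip in seen) {
                f = failed[ip] + 0; a = accepted[ip] + 0
                flag = (f >= t && a > 0) ? "SUSPECT" : "-"
                printf "%s failed=%d accepted=%d %s\n", ip, f, a, flag
            }
        }' "${1:--}" | sort
}

# Demo on the constructed sample; on a real host: ssh_auth_summary /var/log/secure 10
sample_secure_log | ssh_auth_summary - 3
```

A SUSPECT line is the place to start: note the timestamp of the accepted login and check what ran on the host after it.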

#8 2016-05-10 12:26 am

tirrorex
Member
Registered: 2016-05-09
Posts: 6

Re: Ip from dedicated server listed as spamming

Thanks Garry, just a quick last question.
Are botnets scripts running in the background or do they duplicate themselves into directories like worms?
I will back up 1 TB of data and I don't want to risk infecting my home OS...

Offline

#9 2016-05-10 12:48 am

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Ip from dedicated server listed as spamming

I do not know how to answer that in a short, simple way; it is pretty complicated.
You can look at these:
What are botnets and how do they work?

Yes, there is a risk of them infecting your home system, and other people's as well. That is why your hosting is anxious to have you fix it, or they will shut it down; they do not want to be responsible either.

I don't know where your problem comes from, but it seems your system has been hacked.

It certainly "seems" like it, and it is clear someone or something is using the IP, and maybe actually using the server, but you need to check it all out closely before jumping to conclusions.
It sounds like you may need to find some sort of "professional", or somebody to help you with the administration of this server. Does the hosting provide any support?

Offline

#10 2016-05-10 1:08 am

tirrorex
Member
Registered: 2016-05-09
Posts: 6

Re: Ip from dedicated server listed as spamming

I googled that already but didn't get a clear answer on how botnets operate.
I will just scan the data for viruses; McAfee should handle this kind of thing.

I had 65000 login attempts on SSH and a botnet spamming with my IP, so...

Why would I need a professional? I can wipe the server and secure it afterwards myself. I didn't think I needed any protection to begin with; I suppose one cannot be lazy with security.

The support from the hosting company is limited for non-professional use and I will not pay someone to secure a seedbox. The only thing I use my server for is downloading torrents (from trusted sources) and video streaming them.

Offline

#11 2016-05-10 7:11 am

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 7,056

Re: Ip from dedicated server listed as spamming

It's listed as a toxic IP due to the amount of spam coming from Iliad-Entreprises network and their complete refusal to respond to any abuse reports or even personal enquiries about abuse.  To date they have refused to reply to any contact or to action any reports.

Change your SSH port and use IPtables with port knocking if they find it.

Offline

#12 2016-05-13 10:19 pm

crfriend
Member
From: MA/USA
Registered: 2012-11-18
Posts: 87

Re: Ip from dedicated server listed as spamming

Better still than simply changing the port that sshd listens on would be to do that *and* configure iptables to ignore (drop -- and log) inbound connections to both port 22 and your new one that have the SYN bit set and no ACK bit from *all* hosts save for a few that you pick that have static IP addresses.  In short, allow from a tiny set of trusted hosts and drop connection attempts from *anywhere* else.

Also, don't allow password access -- demand a proper key exchange.  That's harder for a cracker to fake.

Offline
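
The allow-list approach described above, as an added example (not code from crfriend or any other poster): the function prints iptables commands for review instead of applying them. The port 2222, the chain name SSH_GUARD and the trusted addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Print (never apply) iptables commands that limit new SSH connections to an
# allow-list, and drop and log everyone else, on port 22 and the new port.
# Usage: ssh_allowlist_rules NEW_PORT TRUSTED_IPV4 [TRUSTED_IPV4 ...]
ssh_allowlist_rules() {
    [ "$#" -ge 2 ] || { echo "usage: NEW_PORT TRUSTED_IPV4..." >&2; return 1; }
    port=$1; shift
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # Validate before printing anything: the output is meant to be run as
    # root, so reject any argument that is not a plain IPv4 address or CIDR.
    for host in "$@"; do
        case $host in
            ''|*[!0-9./]*) echo "bad host: $host" >&2; return 1 ;;
        esac
    done
    # SSH_GUARD is a hypothetical chain name chosen for this example.
    echo "iptables -N SSH_GUARD"
    # "SYN set, ACK clear" selects connection attempts only, so established
    # sessions are left to the rest of the INPUT chain.
    echo "iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN -m multiport --dports 22,$port -j SSH_GUARD"
    for host in "$@"; do
        echo "iptables -A SSH_GUARD -s $host -j ACCEPT"
    done
    # Rate-limit the LOG rule so a scan cannot flood the kernel log.
    echo "iptables -A SSH_GUARD -m limit --limit 6/min -j LOG --log-prefix 'ssh-drop: '"
    echo "iptables -A SSH_GUARD -j DROP"
}

# Companion sshd_config setting for the key-only advice: PasswordAuthentication no
# Demo with constructed documentation addresses; review the output before use.
ssh_allowlist_rules 2222 198.51.100.20 198.51.100.21
```

Keep an out-of-band console session open while applying rules like these, since a wrong trusted address locks SSH out entirely.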

#13 2016-05-19 6:36 am

rblg
Member
Registered: 2013-06-14
Posts: 231

Re: Ip from dedicated server listed as spamming

tirrorex wrote:

...only thing I use my server for is downloading torrents (from trusted sources) and video streaming them.

Sounds like copyright infringement to me.

Offline

#14 2016-05-19 8:01 am

tirrorex
Member
Registered: 2016-05-09
Posts: 6

Re: Ip from dedicated server listed as spamming

rblg wrote:
tirrorex wrote:

...only thing I use my server for is downloading torrents (from trusted sources) and video streaming them.

Sounds like copyright infringement to me.

There is no copyright on HDTV files, mind your own business ;)

Offline

#15 2016-05-19 8:27 pm

lisati
Member
From: Porirua, New Zealand
Registered: 2011-04-14
Posts: 340

Re: Ip from dedicated server listed as spamming

tirrorex wrote:

There is no copyright on HDTV files, mind your own business ;)

Whether there is or isn't depends on the contents of the files and the jurisdiction. Let's move on.

Offline

#16 2016-05-19 8:28 pm

carbonize
Member
Registered: 2010-12-14
Posts: 231

Re: Ip from dedicated server listed as spamming

tirrorex wrote:
rblg wrote:
tirrorex wrote:

...only thing I use my server for is downloading torrents (from trusted sources) and video streaming them.

Sounds like copyright infringement to me.

There is no copyright on HDTV files, mind your own business ;)

Think you will find that whilst the files may not be copyrighted their contents are.

Offline

#17 2016-05-20 6:30 am

rblg
Member
Registered: 2013-06-14
Posts: 231

Re: Ip from dedicated server listed as spamming

carbonize wrote:

Think you will find that whilst the files may not be copyrighted their contents are.

Yep.

tirrorex wrote:

...mind your own business ;)

Send me a link to your website, and see how fast the authorities come knocking on your door. ;)

I am very skeptical of your claim that you've been hacked.

Offline
